Remove mac_create_root_mount() and mpo_create_root_mount(), which

provided access to the root file system before the start of the init process. This was used briefly by SEBSD before it knew about preloading data in the loader, and using that method to gain access to data earlier results in fewer inconsistencies in the approach. Policy modules still have access to the root file system creation event through the mac_create_mount() entry point. Removed now, and will be removed from RELENG_6, in order to gain third party policy dependencies on the entry point for the lifetime of the 6.x branch. MFC after: 3 days Submitted by: Chris Vance <Christopher dot Vance at SPARTA dot com> Sponsored by: SPARTA
2005-09-19 13:59:57 +00:00 · 2005-09-19 13:59:57 +00:00 · 583b25a64f
commit 583b25a64f
parent 67624ed0f7
7 changed files with 0 additions and 73 deletions
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@ -533,10 +533,6 @@ start_init(void *dummy)

 	vfs_mountroot();

-#ifdef MAC
-	mac_create_root_mount(td->td_ucred, TAILQ_FIRST(&mountlist));
-#endif
-
 	/*
 	 * Need just enough stack to hold the faked-up "execve()" arguments.
 	 */
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@ -921,14 +921,6 @@ mac_create_mount(struct ucred *cred, struct mount *mp)
 	    mp->mnt_fslabel);
 }

-void
-mac_create_root_mount(struct ucred *cred, struct mount *mp)
-{
-
-	MAC_PERFORM(create_root_mount, cred, mp, mp->mnt_mntlabel,
-	    mp->mnt_fslabel);
-}
-
 int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@ -837,19 +837,6 @@ mac_biba_create_mount(struct ucred *cred, struct mount *mp,
 	mac_biba_copy_effective(source, dest);
 }

-static void
-mac_biba_create_root_mount(struct ucred *cred, struct mount *mp,
-    struct label *mntlabel, struct label *fslabel)
-{
-	struct mac_biba *mac_biba;
-
-	/* Always mount root as high integrity. */
-	mac_biba = SLOT(fslabel);
-	mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
-	mac_biba = SLOT(mntlabel);
-	mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
-}
-
 static void
 mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
@ -3086,7 +3073,6 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_create_devfs_directory = mac_biba_create_devfs_directory,
 	.mpo_create_devfs_symlink = mac_biba_create_devfs_symlink,
 	.mpo_create_mount = mac_biba_create_mount,
-	.mpo_create_root_mount = mac_biba_create_root_mount,
 	.mpo_relabel_vnode = mac_biba_relabel_vnode,
 	.mpo_update_devfsdirent = mac_biba_update_devfsdirent,
 	.mpo_associate_vnode_devfs = mac_biba_associate_vnode_devfs,
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@ -958,19 +958,6 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
 	mac_lomac_copy_single(source, dest);
 }

-static void
-mac_lomac_create_root_mount(struct ucred *cred, struct mount *mp,
-    struct label *mntlabel, struct label *fslabel)
-{
-	struct mac_lomac *mac_lomac;
-
-	/* Always mount root as high integrity. */
-	mac_lomac = SLOT(fslabel);
-	mac_lomac_set_single(mac_lomac, MAC_LOMAC_TYPE_HIGH, 0);
-	mac_lomac = SLOT(mntlabel);
-	mac_lomac_set_single(mac_lomac, MAC_LOMAC_TYPE_HIGH, 0);
-}
-
 static void
 mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
@ -2617,7 +2604,6 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_create_devfs_directory = mac_lomac_create_devfs_directory,
 	.mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink,
 	.mpo_create_mount = mac_lomac_create_mount,
-	.mpo_create_root_mount = mac_lomac_create_root_mount,
 	.mpo_relabel_vnode = mac_lomac_relabel_vnode,
 	.mpo_update_devfsdirent = mac_lomac_update_devfsdirent,
 	.mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@ -806,19 +806,6 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp,
 	mac_mls_copy_effective(source, dest);
 }

-static void
-mac_mls_create_root_mount(struct ucred *cred, struct mount *mp,
-    struct label *mntlabel, struct label *fslabel)
-{
-	struct mac_mls *mac_mls;
-
-	/* Always mount root as high integrity. */
-	mac_mls = SLOT(fslabel);
-	mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
-	mac_mls = SLOT(mntlabel);
-	mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
-}
-
 static void
 mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
@ -2860,7 +2847,6 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_create_devfs_directory = mac_mls_create_devfs_directory,
 	.mpo_create_devfs_symlink = mac_mls_create_devfs_symlink,
 	.mpo_create_mount = mac_mls_create_mount,
-	.mpo_create_root_mount = mac_mls_create_root_mount,
 	.mpo_relabel_vnode = mac_mls_relabel_vnode,
 	.mpo_update_devfsdirent = mac_mls_update_devfsdirent,
 	.mpo_associate_vnode_devfs = mac_mls_associate_vnode_devfs,
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@ -224,13 +224,6 @@ stub_create_mount(struct ucred *cred, struct mount *mp,

 }

-static void
-stub_create_root_mount(struct ucred *cred, struct mount *mp,
-    struct label *mntlabel, struct label *fslabel)
-{
-
-}
-
 static void
 stub_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
@ -1438,7 +1431,6 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_create_sysv_shm = stub_create_sysv_shm,
 	.mpo_create_vnode_extattr = stub_create_vnode_extattr,
 	.mpo_create_mount = stub_create_mount,
-	.mpo_create_root_mount = stub_create_root_mount,
 	.mpo_relabel_vnode = stub_relabel_vnode,
 	.mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
 	.mpo_update_devfsdirent = stub_update_devfsdirent,
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@ -917,16 +917,6 @@ mac_test_create_mount(struct ucred *cred, struct mount *mp,
 	ASSERT_MOUNT_LABEL(fslabel);
 }

-static void
-mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
-    struct label *mntlabel, struct label *fslabel)
-{
-
-	ASSERT_CRED_LABEL(cred->cr_label);
-	ASSERT_MOUNT_LABEL(mntlabel);
-	ASSERT_MOUNT_LABEL(fslabel);
-}
-
 static void
 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
@ -2472,7 +2462,6 @@ static struct mac_policy_ops mac_test_ops =
 	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
 	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
 	.mpo_create_mount = mac_test_create_mount,
-	.mpo_create_root_mount = mac_test_create_root_mount,
 	.mpo_relabel_vnode = mac_test_relabel_vnode,
 	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
 	.mpo_update_devfsdirent = mac_test_update_devfsdirent,